
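You can search the list of vulnerabilities managed in the NVD (National Vulnerability Database).
Because vulnerability information is often updated in the NVD before JVN (Japan Vulnerability Notes), the NVD may contain updates for vulnerabilities that are not yet listed in JVN.

If a related vulnerability exists in JVN (Japan Vulnerability Notes), its information is shown on the detail screen.

When searching by CWE, refer to the CWE overview to confirm the CWE number.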


Updated: April 26, 2026, 4:08

No. CVSS Level
Attack vector
Vendor Product Title CWE CVE Updated Published Impact view Exploit/PoC search
601 7.6 HIGH
Network
openremote openremote OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user wh… Update CWE-611
Improper Restriction of XML External Entity Reference
CVE-2026-40882 2026-04-24 22:24 2026-04-23 View GitHub Exploit DB Packet Storm
602 8.3 HIGH
Network
rustfs rustfs RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions… Update CWE-862
Missing Authorization
CVE-2026-40937 2026-04-24 22:12 2026-04-23 View GitHub Exploit DB Packet Storm
603 7.0 HIGH
Network
openremote openremote OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to update Keycloak realm roles for users… Update CWE-284
Improper Access Control
CVE-2026-41166 2026-04-24 22:10 2026-04-23 View GitHub Exploit DB Packet Storm
604 5.3 MEDIUM
Network
pypdf_project pypdf pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.1 can craft a PDF which leads to long runtimes. This requires cross-ref… Update CWE-834
Excessive Iteration
CVE-2026-41168 2026-04-24 22:07 2026-04-23 View GitHub Exploit DB Packet Storm
605 6.2 MEDIUM
Local
- - A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.8 and iPadOS 18.7.8, iOS 26.4.2 and iPadOS 26.4.2. Notifications marked for deletion could be unexpectedly … Update CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CVE-2026-28950 2026-04-24 06:16 2026-04-23 View GitHub Exploit DB Packet Storm
606 6.5 MEDIUM
Network
gitlab gitlab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause de… Update CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-0186 2026-04-24 05:51 2026-04-23 View GitHub Exploit DB Packet Storm
607 6.5 MEDIUM
Network
gitlab gitlab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.4 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause de… Update CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-3922 2026-04-24 05:50 2026-04-23 View GitHub Exploit DB Packet Storm
608 6.5 MEDIUM
Network
gitlab gitlab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause den… Update CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-6016 2026-04-24 05:49 2026-04-23 View GitHub Exploit DB Packet Storm
609 2.7 LOW
Network
gitlab gitlab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an authe… Update CWE-863
Incorrect Authorization
CVE-2025-9957 2026-04-24 05:46 2026-04-23 View GitHub Exploit DB Packet Storm
610 6.5 MEDIUM
Network
gitlab gitlab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an authe… Update CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-1660 2026-04-24 05:45 2026-04-23 View GitHub Exploit DB Packet Storm
611 3.5 LOW
Network
gitlab gitlab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to load unauthorized content int… Update CWE-1021
Improper Restriction of Rendered UI Layers or Frames
CVE-2026-3254 2026-04-24 05:43 2026-04-23 View GitHub Exploit DB Packet Storm
612 8.1 HIGH
Network
gitlab gitlab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execut… Update CWE-352
Same-Origin Policy Violation
CVE-2026-4922 2026-04-24 05:40 2026-04-23 View GitHub Exploit DB Packet Storm
613 6.1 MEDIUM
Network
gitlab gitlab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.1.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an una… Update CWE-79
Cross-Site Scripting (XSS)
CVE-2026-5262 2026-04-24 05:38 2026-04-23 View GitHub Exploit DB Packet Storm
614 4.3 MEDIUM
Network
gitlab gitlab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that could have allowed an authenticated user to access titles of confidential or private issues in pub… Update CWE-863
Incorrect Authorization
CVE-2026-5377 2026-04-24 05:37 2026-04-23 View GitHub Exploit DB Packet Storm
615 8.1 HIGH
Network
gitlab gitlab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.4 and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute arbitrary JavaScrip… Update CWE-41
Improper Resolution of Path Equivalence
CVE-2026-5816 2026-04-24 05:30 2026-04-23 View GitHub Exploit DB Packet Storm
616 5.4 MEDIUM
Network
gitlab gitlab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed a user to use invalidated or inco… Update CWE-613
Insufficient Session Expiration
CVE-2026-6515 2026-04-24 05:18 2026-04-23 View GitHub Exploit DB Packet Storm
617 5.8 MEDIUM
Network
free5gc free5gc
udr
free5GC UDR is the user data repository (UDR) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.2, a fail-open request handling … Update CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2026-40343 2026-04-24 04:44 2026-04-22 View GitHub Exploit DB Packet Storm
618 7.5 HIGH
Network
free5gc free5gc
pcf
free5GC UDR is the Policy Control Function (PCF) for free5GC, an open-source project for 5th generation (5G) mobile core networks. A memory leak vulnerability in versions prior to 1.4.3 allows any… Update CWE-400
Resource Exhaustion
CVE-2026-41135 2026-04-24 04:41 2026-04-22 View GitHub Exploit DB Packet Storm
619 5.3 MEDIUM
Network
free5gc amf
free5gc
free5GC AMF provides Access & Mobility Management Function (AMF) for free5GC, an open-source project for 5th generation (5G) mobile core networks. Prior to version 1.4.3, the `HTTPUEContextTransfe… Update CWE-440
Expected Behavior Violation
CVE-2026-41136 2026-04-24 04:39 2026-04-22 View GitHub Exploit DB Packet Storm
620 7.5 HIGH
Network
free5gc free5gc free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for creating or updating Traffic Influence Subscriptions checks whether th… Update CWE-285
CWE-636
Improper Authorization
Not Failing Securely
CVE-2026-40248 2026-04-24 04:20 2026-04-17 View GitHub Exploit DB Packet Storm
621 6.5 MEDIUM
Network
wwbn avideo WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint `plugin/Live/view/Live_restreams/list.json.php` contains an Insecure Direct Object Reference (IDOR) vulnerabilit… Update CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-40907 2026-04-24 04:12 2026-04-22 View GitHub Exploit DB Packet Storm
622 5.3 MEDIUM
Network
wwbn avideo WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file `git.json.php` at the web root executes `git log -1` and returns the full output as JSON to any unauthenticated user… Update CWE-200
Information Exposure
CVE-2026-40908 2026-04-24 04:09 2026-04-22 View GitHub Exploit DB Packet Storm
623 6.5 MEDIUM
Network
wwbn avideo WWBN AVideo is an open source video platform. In versions 29.0 and prior, the locale save endpoint (`locale/save.php`) constructs a file path by directly concatenating `$_POST['flag']` into the path … Update CWE-22
Path Traversal
CVE-2026-40909 2026-04-24 03:55 2026-04-22 View GitHub Exploit DB Packet Storm
624 6.1 MEDIUM
Network
oracle identity_manager Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: Identity Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitabl… Update CWE-284
CWE-601
Improper Access Control
Open Redirect
CVE-2026-34283 2026-04-24 03:50 2026-04-22 View GitHub Exploit DB Packet Storm
625 6.1 MEDIUM
Network
oracle business_process_management_suite Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware (component: Human workflow 11g+). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.… Update CWE-284
CWE-601
Improper Access Control
Open Redirect
CVE-2026-34284 2026-04-24 03:50 2026-04-22 View GitHub Exploit DB Packet Storm
626 8.7 HIGH
Network
oracle http_server Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability… Update CWE-284
Improper Access Control
CVE-2026-34291 2026-04-24 03:48 2026-04-22 View GitHub Exploit DB Packet Storm
627 7.2 HIGH
Network
oracle weblogic_server Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerabili… Update CWE-284
Improper Access Control
CVE-2026-34292 2026-04-24 03:47 2026-04-22 View GitHub Exploit DB Packet Storm
628 8.8 HIGH
Network
nicolargo glances Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation … Update CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-35587 2026-04-24 03:42 2026-04-21 View GitHub Exploit DB Packet Storm
629 9.8 CRITICAL
Network
reconurge flowsint Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Flowsint allows a user to create investigations, which are used to ma… Update CWE-78
OS Command Injection
CVE-2026-32311 2026-04-24 03:41 2026-04-21 View GitHub Exploit DB Packet Storm
630 8.4 HIGH
Local
gitlawb openclaude OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in `bashToolHasPermission()` inside `src/tools/BashTool… Update CWE-22
CWE-284
Path Traversal
Improper Access Control
CVE-2026-35570 2026-04-24 03:37 2026-04-21 View GitHub Exploit DB Packet Storm
631 10.0 CRITICAL
Network
anthropic claude_code Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Clau… Update CWE-22
CWE-61
Path Traversal
UNIX Symbolic Link (Symlink) Following
CVE-2026-39861 2026-04-24 03:36 2026-04-21 View GitHub Exploit DB Packet Storm
632 5.3 MEDIUM
Network
netfoundry zrok zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a … Update CWE-284
CWE-863
Improper Access Control
Incorrect Authorization
CVE-2026-40304 2026-04-24 03:33 2026-04-18 View GitHub Exploit DB Packet Storm
633 7.5 HIGH
Network
netfoundry zrok zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, cou… Update CWE-400
CWE-789
Resource Exhaustion
Memory Allocation with Excessive Size Value
CVE-2026-40303 2026-04-24 03:33 2026-04-18 View GitHub Exploit DB Packet Storm
634 6.1 MEDIUM
Network
netfoundry zrok zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/… Update CWE-79
CWE-116
Cross-Site Scripting (XSS)
Improper Encoding or Escaping of Output
CVE-2026-40302 2026-04-24 03:32 2026-04-18 View GitHub Exploit DB Packet Storm
635 7.5 HIGH
Network
freedom securedrop-client SecureDrop Client is a desktop app for journalists to securely communicate with sources and handle submissions on the SecureDrop Workstation. In versions 0.17.4 and below, a compromised SecureDrop Se… Update CWE-36
CWE-73
Absolute Path Traversal
External Control of File Name or Path
CVE-2026-35465 2026-04-24 03:31 2026-04-18 View GitHub Exploit DB Packet Storm
636 9.9 CRITICAL
Network
linuxfoundation spinnaker Spinnaker is an open source, multi-cloud continuous delivery platform. Echo, like some other services, uses SpEL (Spring Expression Language) to process information - specifically around expected arti… Update CWE-94
Code Injection
CVE-2026-32613 2026-04-24 03:30 2026-04-21 View GitHub Exploit DB Packet Storm
637 9.9 CRITICAL
Network
linuxfoundation spinnaker Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the c… Update CWE-20
Improper Input Validation
CVE-2026-32604 2026-04-24 03:30 2026-04-21 View GitHub Exploit DB Packet Storm
638 8.8 HIGH
Network
lawnchair lawnchair Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in release_update.yml workflow dispatch input allows arbitrary code … Update CWE-77
Command Injection
CVE-2026-39866 2026-04-24 03:26 2026-04-21 View GitHub Exploit DB Packet Storm
639 6.5 MEDIUM
Network
oracle peoplesoft_enterprise_scm_purchasing Vulnerability in the PeopleSoft Enterprise SCM Purchasing product of Oracle PeopleSoft (component: Purchasing). The supported version that is affected is 9.2. Easily exploitable vulnerability allow… Update CWE-284
Improper Access Control
CVE-2026-34295 2026-04-24 03:25 2026-04-22 View GitHub Exploit DB Packet Storm
640 4.3 MEDIUM
Network
oracle agile_product_lifecycle_management_for_process Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Product Quality Management). The supported version that is affected is 6.2.4. E… Update CWE-200
Information Exposure
CVE-2026-34296 2026-04-24 03:22 2026-04-22 View GitHub Exploit DB Packet Storm
641 8.8 HIGH
Network
m1k1o neko Neko is a self-hosted virtual browser that runs in Docker and uses WebRTC. In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can immediately obtain full administrative… Update CWE-20
CWE-269
CWE-284
CWE-639
CWE-862
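Improper Input Validation
Improper Privilege Management
Improper Access Control
Authorization Bypass Through User-Controlled Key
Missing Authorization
CVE-2026-39386 2026-04-24 03:21 2026-04-21 View GitHub Exploit DB Packet Storm
642 3.5 LOW
Network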
- - The reCaptcha by WebDesignBy WordPress plugin before 2.0 does not sanitize or escape the Site Key setting before outputting it in a JavaScript string context via the grecaptcha_js() function. This al… Update CWE-79
Cross-Site Scripting (XSS)
CVE-2026-4512 2026-04-24 03:16 2026-04-23 View GitHub Exploit DB Packet Storm
643 5.3 MEDIUM
Network
- - The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some PII (such as full name, city, state and country) of customers who placed orders … Update CWE-200
Information Exposure
CVE-2026-4106 2026-04-24 03:16 2026-04-23 View GitHub Exploit DB Packet Storm
644 6.9 MEDIUM
Network
- - DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses `DOMP… New CWE-79
CWE-1321
Cross-Site Scripting (XSS)
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)
CVE-2026-41238 2026-04-24 03:16 2026-04-24 View GitHub Exploit DB Packet Storm
645 7.2 HIGH
Network
- - EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled `name` and `scope` values and pass t… Update CWE-23
Relative Path Traversal
CVE-2026-33733 2026-04-24 03:16 2026-04-23 View GitHub Exploit DB Packet Storm
646 7.5 HIGH
Network
oracle hcm_common_architecture Vulnerability in the Oracle HCM Common Architecture product of Oracle E-Business Suite (component: Knowledge Integration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable… Update CWE-200
Information Exposure
CVE-2026-34297 2026-04-24 03:10 2026-04-22 View GitHub Exploit DB Packet Storm
647 6.5 MEDIUM
Network
jupyter nbconvert The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions 6.5 through 7.17.0 allow arbitrary file writes to locations outside the intend… Update CWE-22
CWE-73
Path Traversal
External Control of File Name or Path
CVE-2026-39377 2026-04-24 02:51 2026-04-21 View GitHub Exploit DB Packet Storm
648 6.5 MEDIUM
Network
jupyter nbconvert The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when `HTMLExporter.embed_images=True`, nbconvert's mark… Update CWE-22
CWE-73
Path Traversal
External Control of File Name or Path
CVE-2026-39378 2026-04-24 02:50 2026-04-21 View GitHub Exploit DB Packet Storm
649 8.1 HIGH
Network
openmage magento Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Pr… Update CWE-502
Deserialization of Untrusted Data
CVE-2026-25524 2026-04-24 02:47 2026-04-21 View GitHub Exploit DB Packet Storm
650 4.9 MEDIUM
Network
openmage magento Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Pr… Update CWE-22
CWE-184
Path Traversal
Incomplete Blacklist
CVE-2026-25525 2026-04-24 02:47 2026-04-21 View GitHub Exploit DB Packet Storm